AUDIT OF THE SOCIAL SECURITY ADMINISTRATION’S FISCAL YEAR 2002 FINANCIAL STATEMENTS

November 19, 2002

To: Jo Anne B. Barnhart
    Commissioner

This letter transmits the PricewaterhouseCoopers LLP (PwC) Report of Independent Accountants on the audit of the Social Security Administration’s (SSA) Fiscal Year (FY) 2002 and 2001 financial statements. PwC’s Report includes the firm’s Opinion on the Financial Statements, Report on Management’s Assertion About the Effectiveness of Internal Control, and Report on SSA’s Compliance with Laws and Regulations.

Objective of a Financial Statement Audit

The objective of a financial statement audit is to determine whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management as well as evaluating the overall financial statement presentation.

PwC’s examination was made in accordance with generally accepted auditing standards, Government Auditing Standards issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin 01-02, Audit Requirements for Federal Financial Statements. The audit included obtaining an understanding of the internal control over financial reporting and testing and evaluating the design and operating effectiveness of the internal control. Because of inherent limitations in any internal control, there is a risk that errors or fraud may occur and not be detected. The risk of fraud is inherent to many of SSA’s programs and operations, especially within the Supplemental Security Income (SSI) program. In our opinion, people outside the organization perpetrate most of the fraud against SSA.

Audit of Financial Statements, Effectiveness of Internal Control, and Compliance with Laws and Regulations

The Chief Financial Officers (CFO) Act of 1990 (P.L. 101-576), as amended, requires SSA’s Inspector General (IG) or an independent external auditor, as determined by the IG, to audit SSA’s financial statements in accordance with applicable standards. Under a contract monitored by the Office of the Inspector General (OIG), PwC, an independent certified public accounting firm, audited SSA’s FY 2002 financial statements. PwC also audited the FY 2001 financial statements, presented in SSA’s Performance and Accountability Report for FY 2002 for comparative purposes. PwC issued an unqualified opinion on SSA’s FY 2002 and 2001 financial statements. PwC also reported that SSA’s assertion that its systems of accounting and internal control are in compliance with the internal control objective in OMB Bulletin 01-02 is fairly stated in all material respects. However, the audit identified one reportable condition in SSA’s internal control:

    SSA Needs to Further Strengthen Controls to Protect Its Information

This is a repeat finding from prior years. It is PwC’s opinion that SSA has made notable progress in addressing the information protection issues raised in prior years. Despite these accomplishments, SSA’s systems environment remains threatened by security and integrity exposures to SSA operations.

OIG Evaluation of PwC Audit Performance

To fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work performed, we monitored PwC’s audit of SSA’s FY 2002 financial statements by:

• Reviewing PwC’s approach and planning of the audit;
• Evaluating the qualifications and independence of its auditors;
• Monitoring the progress of the audit at key points;
• Examining its workpapers related to planning the audit and assessing SSA’s internal control;
• Reviewing PwC’s audit report to ensure compliance with Government Auditing Standards and OMB Bulletin 01-02;
• Coordinating the issuance of the audit report; and
• Performing other procedures that we deemed necessary.

PwC is responsible for the attached auditor’s report dated November 14, 2002, and the opinions and conclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding PwC’s performance under the terms of the contract. Our review, as differentiated from an audit in accordance with applicable auditing standards, was not intended to enable us to express, and accordingly we do not express, an opinion on SSA’s financial statements, management’s assertions about the effectiveness of its internal control over financial reporting, or SSA’s compliance with certain laws and regulations. However, our monitoring review, as qualified above, disclosed no instances where PwC did not comply with applicable auditing standards.

James G. Huse, Jr.
Inspector General

PricewaterhouseCoopers LLP
1301 K Street, NW
Washington, DC 20005
Telephone (202) 414-1000

REPORT OF INDEPENDENT ACCOUNTANTS

To Ms. Jo Anne B. Barnhart
Commissioner

In our audit of the Social Security Administration (SSA), we found:

• The consolidated balance sheets of SSA as of September 30, 2002 and 2001, and the related consolidated statements of net cost, consolidated statements of changes in net position, combined statements of budgetary resources, and consolidated statements of financing for the fiscal years then ended are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America;
• Management fairly stated that SSA’s systems of accounting and internal control in place as of September 30, 2002 are in compliance with the internal control objectives in the Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, requiring that transactions be properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America and that assets be safeguarded against loss from unauthorized acquisition, use or disposal; and
• No reportable instances of noncompliance with the laws and regulations we tested.

The following sections outline each of these conclusions in more detail.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheets of SSA as of September 30, 2002 and 2001, and the related consolidated statements of net cost, consolidated statements of changes in net position, combined statements of budgetary resources, and consolidated statements of financing for the fiscal years then ended. These financial statements are the responsibility of SSA’s management. Our responsibility is to express an opinion on these financial statements based on our audits.

We conducted our audits in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

In our opinion, the consolidated and combined financial statements referred to above and appearing on pages 51 through 71 of this performance and accountability report, present fairly, in all material respects, the financial position of SSA at September 30, 2002 and 2001, and its net cost, changes in net position, budgetary resources, and reconciliation of net cost to budgetary resources for the fiscal years then ended in conformity with accounting principles generally accepted in the United States of America. The consolidated and combined financial statements referred to above give retroactive effect to the change in entity, as described in Note 1 to the consolidated and combined financial statements.

REPORT ON MANAGEMENT’S ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL

We have examined management’s assertion that SSA’s systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02, requiring management to establish internal accounting and administrative controls to provide reasonable assurance that transactions be properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America and that assets be safeguarded against loss from unauthorized acquisition, use or disposal. SSA’s management is responsible for maintaining effective internal control over financial reporting. Our responsibility is to express an opinion on management’s assertion based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA), the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02 and, accordingly, included obtaining an understanding of the internal control over financial reporting, testing and evaluating the design and operating effectiveness of internal control, and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Our examination was of the internal control in place as of September 30, 2002.

Because of inherent limitations in any internal control, misstatements due to error or fraud may occur and not be detected. Also, projections of any evaluation of internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management’s assertion that SSA’s systems of accounting and internal control are in compliance with the internal control objectives in OMB Bulletin No. 01-02, requiring that transactions be properly recorded, processed, and summarized to permit the preparation of the consolidated and combined financial statements in accordance with accounting principles generally accepted in the United States of America and that assets be safeguarded against loss from unauthorized acquisition, use or disposal, is fairly stated, in all material respects, as of September 30, 2002.

However, we noted certain matters involving the internal control and its operation, set forth below, that we consider to be a reportable condition under standards established by the AICPA and by OMB Bulletin No. 01-02. A reportable condition is a matter coming to our attention relating to significant deficiencies in the design or operation of internal control that, in our judgment, could adversely affect the agency’s ability to meet the internal control objectives described above.

A material weakness, as defined by the AICPA and OMB Bulletin No. 01-02, is a reportable condition in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements in amounts that would be material in relation to the principal financial statements being audited or to a performance measure or aggregation of related performance measures may occur and not be detected within a timely period by employees in the normal course of performing their assigned duties. We believe that the reportable condition that follows is not a material weakness as defined by the AICPA and OMB Bulletin No. 01-02.

SSA Needs to Further Strengthen Controls to Protect Its Information:

Over the past year SSA has made notable progress in addressing the information protection issues raised in prior years. Specifically, in fiscal year 2002 SSA has:

• Issued final “risk models” to standardize platform security configuration settings for the Windows NT, Windows 2000, AS 400, Unix and WANG platforms;
• Established and implemented ongoing monitoring tools and procedures to ensure the consistency of platform security configuration standards for the Windows NT, Windows 2000, AS 400, Unix and WANG platforms;
• Established and implemented access-based rule settings and standardized monitoring and logging procedures for firewalls;
• Continued progress on the Standard Security Profile Project (SSPP; the project consists of a full-scale comparison of system user access assignments to job responsibilities to ensure propriety) and expanded the SSPP to include non-IT employees;
• Continued progress on the Dataset Naming Standards project, including setting naming conventions, determining tools for compliance and enforcement, and establishing data ownership;
• Strengthened physical security controls over Regional Office and Program Service Center offices; and
• Established and implemented procedures for enhanced review of security violations on the mainframe.

These enhancements have greatly improved the security over SSA’s systems environment. However, continued effort is needed to complete the implementation of platform security configuration settings for NT, Windows 2000, AS 400, Unix and WANG platforms. Continued effort is also needed to review security access assignments (SSPP), including (1) the full establishment of dataset naming conventions, (2) the establishment of a dataset dictionary for existing datasets and transactions, (3) the identification of system and data owners and (4) the enforcement of the new dataset naming rules and standards for sensitive systems.
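The SSPP described above is, at its core, a comparison of each user's actual system access against the access that user's job responsibilities justify. The following is an added illustration of that kind of review, not code from the audit report, from SSA or from PwC: it takes a hypothetical role catalogue (role to entitlements), the HR assignment of roles to users, and the access actually observed on the platforms, and reports excess access, missing access, accounts with no job assignment, roles absent from the catalogue, and separation-of-duties conflicts. All role names, user names, systems, permissions and the one SoD rule are constructed sample data.

```python
"""
Added example, not code from the audit report, SSA or PwC: a small access-
assignment review of the kind the SSPP bullet above describes, comparing each
user's actual system access against the access their job responsibility
entitles them to. Every role, user, system and permission below is constructed
sample data; a real review would load the profiles from the HR/role catalogue
and the actual access from each platform's access control lists.
"""
from dataclasses import dataclass

# Hypothetical job-responsibility profiles: role -> set of (system, permission).
ROLE_PROFILES = {
    "claims_rep": {("claims_db", "read"), ("claims_db", "update")},
    "benefit_auth": {("claims_db", "read"), ("payments", "approve")},
    "sysadmin": {("mainframe", "operator")},
}

# Separation-of-duties rule (constructed): no single user may both update
# claims and approve payments, whatever roles HR has assigned.
SOD_CONFLICTS = [
    ({("claims_db", "update")}, {("payments", "approve")}),
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "excess", "missing", "orphan", "unknown_role" or "sod"
    detail: str


def expected_access(roles):
    """Union of the profiles for the given roles; unknown roles are reported
    rather than silently contributing nothing."""
    expected, unknown = set(), []
    for role in roles:
        if role in ROLE_PROFILES:
            expected |= ROLE_PROFILES[role]
        else:
            unknown.append(role)
    return expected, unknown


def review_access(assignments, actual):
    """assignments: user -> list of roles (from HR).
    actual: user -> set of (system, permission) pulled from the platforms.
    Returns the list of discrepancies, ordered by user."""
    findings = []
    for user in sorted(set(assignments) | set(actual)):
        have = actual.get(user, set())
        roles = assignments.get(user)
        if roles is None:
            # Account exists on a platform but HR has no job assignment for it.
            findings.append(Finding(user, "orphan", "access with no job assignment"))
            roles = []
        expected, unknown = expected_access(roles)
        for role in unknown:
            findings.append(Finding(user, "unknown_role", role))
        for system, perm in sorted(have - expected):
            findings.append(Finding(user, "excess", f"{system}:{perm}"))
        for system, perm in sorted(expected - have):
            findings.append(Finding(user, "missing", f"{system}:{perm}"))
        for left, right in SOD_CONFLICTS:
            if left <= have and right <= have:
                findings.append(Finding(user, "sod", "holds conflicting duties"))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. for a review dashboard."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample input.
SAMPLE_ASSIGNMENTS = {
    "alice": ["claims_rep"],
    "bob": ["benefit_auth"],
    "carol": ["claims_rep", "benefit_auth"],   # role combination violates SoD
    "dave": ["auditor"],                        # role missing from the profiles
}
SAMPLE_ACTUAL = {
    "alice": {("claims_db", "read"), ("claims_db", "update"),
              ("mainframe", "operator")},      # operator access is excess
    "bob": {("claims_db", "read")},            # payments:approve never granted
    "carol": {("claims_db", "read"), ("claims_db", "update"),
              ("payments", "approve")},
    "erin": {("payments", "approve")},         # no HR assignment at all
}

if __name__ == "__main__":
    for finding in review_access(SAMPLE_ASSIGNMENTS, SAMPLE_ACTUAL):
        print(f"{finding.user:6} {finding.kind:13} {finding.detail}")
    print(summarize(review_access(SAMPLE_ASSIGNMENTS, SAMPLE_ACTUAL)))
```

The "missing" category matters as much as "excess" for an audit: an entitlement that HR expects but the platform never granted usually means the workflow is being done through someone else's account or an undocumented path. The SoD check runs against observed access, not assigned roles, so it also catches conflicts created by ad hoc grants outside the role catalogue.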
Specific disclosure of detailed information about these exposures might further compromise controls and is therefore not provided within this report. Rather, the specific details of weaknesses noted are presented in a separate, limited-distribution management letter.

Management has made and continues to make concerted efforts to address these issues; however, the full rollout of the risk models and the completion of the SSPP are time-consuming tasks that will require substantial resources to complete. Further, the physical controls over the state Disability Determination Services sites continue to be a challenge because many of the sites are co-located with other state agencies or are housed in buildings with inherent physical security issues. Progress on the issue regarding monitoring of security violations on the mainframe has already been made, but full use of the new procedures needs to be demonstrated during fiscal year 2003.

The need for a strong security program to address threats to the security and integrity of SSA operations grows and transforms as the agency continues to move ahead with plans to increase dependence on the Internet and Web-based applications to serve the American public. To more fully protect SSA from risks associated with the loss of data, loss of other resources and/or compromised privacy of information associated with SSA’s enumeration, earnings, retirement, and disability processes and programs, SSA must complete the strengthening of its security program.

Recommendations

We recommend that SSA explore methods to accelerate and continue to build on its progress to enhance information protection by continuing to implement the remaining portions of its entity-wide security program. Specifically, we recommend that SSA:

• Continue to follow established processes to conduct and enhance periodic risk assessments to identify inherent vulnerabilities from emerging technologies across mainframe, midrange and distributed systems;
• Implement cost-effective countermeasures to mitigate risk to an acceptable level, including effective monitoring of systems to ensure currency of security configuration settings for all platforms;
• Continue to implement risk models to achieve compliance with SSA standard platform security configuration settings;
• Accelerate the SSPP program to ensure that sensitive systems, as defined by the SSA systems accreditation and certification process, are adequately addressed regarding proper access assignments, dataset naming standards, data ownership assignments and inclusion in the dataset dictionary;
• Ensure use of the new procedures for reviewing security violations on the mainframe;
• Ensure that employees with access to sensitive SSA data (soft or hardcopy) and equipment are properly assessed to determine their eligibility for access to such resources;
• Coordinate contingency planning between program service center/regional office sites, disability determination service sites and SSA central office functions and the national computer center; and
• Continue to enhance the overall security policy for DDS sites and improve physical security controls for the disability determination service sites.

More specific recommendations focused upon the individual exposures we identified are included in a separate, limited-distribution management letter.

We noted other matters involving the internal control and its operation that we will communicate in a separate letter.

REPORT ON COMPLIANCE WITH LAWS AND REGULATIONS

We conducted our audit in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, and OMB Bulletin No. 01-02.

The management of SSA is responsible for complying with laws and regulations applicable to the agency. As part of obtaining reasonable assurance about whether the agency’s financial statements are free of material misstatement, we performed tests of SSA’s compliance with certain provisions of applicable laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts and certain other laws and regulations specified in OMB Bulletin No. 01-02, including the requirements referred to in the Federal Financial Management Improvement Act (FFMIA) of 1996. We limited our tests of compliance to these provisions, and we did not test compliance with all laws and regulations applicable to SSA.

The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations discussed in the preceding paragraph exclusive of FFMIA that are required to be reported under Government Auditing Standards or OMB Bulletin No. 01-02.

Under FFMIA, we are required to report whether SSA’s financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a) requirements.

The results of our tests disclosed no instances in which SSA’s financial management systems did not substantially comply with the three requirements discussed in the preceding paragraph.

The objective of our audit of the financial statements was not to provide an opinion on overall compliance with such provisions of laws and regulations and, accordingly, we do not express such an opinion.

INTERNAL CONTROL RELATED TO KEY PERFORMANCE MEASURES

With respect to internal control related to those performance measures determined by management to be key and included on pages 28 to 40 of this performance and accountability report, we obtained an understanding of the design of significant internal control relating to the existence and completeness assertions, and we determined that they have been placed in operation as required by OMB Bulletin No. 01-02. Our procedures were not designed to provide assurance on the internal control over reported performance measures, and accordingly, we do not express an opinion on such control.

OTHER INFORMATION

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The other accompanying information included on pages 1 to 6, and 95 to the end of this performance and accountability report, is presented for purposes of additional analysis and is not a required part of the consolidated and combined financial statements. Such information has not been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, accordingly, we express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The required supplementary information included on pages 7 to 48, and 76 of this performance and accountability report and the required supplementary stewardship information included on pages 77 to 94 of this performance and accountability report, is not a required part of the consolidated and combined financial statements but is supplementary information required by OMB Bulletin No. 01-09 and the Federal Accounting Standards Advisory Board. We have applied certain limited procedures to such information, which consisted principally of inquiries of management regarding the methods of measurement and presentation of the supplementary information. However, we did not audit the information and express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The consolidating and combining information included on pages 72 to 74 of this performance and accountability report, is presented for purposes of additional analysis of the consolidated and combined financial statements rather than to present the financial position, changes in net position, and reconciliation of net cost to budgetary resources of the individual SSA programs. The consolidating and combining information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

Our audit was conducted for the purpose of forming an opinion on the consolidated and combined financial statements of SSA taken as a whole. The required supplementary information, Schedule of Budgetary Resources, included on page 75 of this performance and accountability report, is not a required part of the consolidated and combined financial statements but is supplementary information required by OMB Bulletin No. 01-09. This information is also presented for purposes of additional analysis of the consolidated and combined financial statements rather than to present the budgetary resources of the individual SSA programs. This information has been subjected to the auditing procedures applied in the audit of the consolidated and combined financial statements and, in our opinion, is fairly stated in all material respects in relation to the consolidated and combined financial statements taken as a whole.

*****

This report is intended solely for the information and use of the management and Inspector General of SSA, OMB, General Accounting Office and Congress and is not intended to be and should not be used by anyone other than these specified parties.

Washington, DC
November 14, 2002